Lucene search

[email protected]NVD:CVE-2020-4049

HistoryJun 12, 2020 - 4:15 p.m.

CVE-2020-4049

2020-06-1216:15:10

CWE-80

CWE-79

[email protected]

web.nvd.nist.gov

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

2.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

47.0%

JSON

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Affected configurations

Nvd

Node

wordpresswordpressRange3.7–3.7.34

wordpresswordpressRange3.8–3.8.34

wordpresswordpressRange3.9–3.9.32

wordpresswordpressRange4.0–4.0.31

wordpresswordpressRange4.1–4.1.31

wordpresswordpressRange4.2–4.2.28

wordpresswordpressRange4.3–4.3.24

wordpresswordpressRange4.4–4.4.23

wordpresswordpressRange4.5–4.5.22

wordpresswordpressRange4.6–4.6.19

wordpresswordpressRange4.7–4.7.18

wordpresswordpressRange4.8–4.8.14

wordpresswordpressRange4.9–4.9.15

wordpresswordpressRange5.0–5.0.10

wordpresswordpressRange5.1–5.1.6

wordpresswordpressRange5.2–5.2.7

wordpresswordpressRange5.3.0–5.3.4

wordpresswordpressRange5.4–5.4.2

Node

fedoraprojectfedoraMatch31

fedoraprojectfedoraMatch32

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

debiandebian_linuxMatch10.0

VendorProductVersionCPE
wordpresswordpress*cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
fedoraprojectfedora31cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
fedoraprojectfedora32cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wordpress	wordpress	*	cpe:2.3:a:wordpress:wordpress::::::::
fedoraproject	fedora	31	cpe:2.3:o:fedoraproject:fedora:31:::::::*
fedoraproject	fedora	32	cpe:2.3:o:fedoraproject:fedora:32:::::::*
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*